DESCHEDULER V0.36.0 SHIPS; GCP PROVIDER TIGHTENS SOCKET SECURITY

By RepoJournal · Filed · About Kubernetes

Descheduler images promoted to v0.36.0 across all architectures as cloud-provider-gcp hardens Unix socket permissions to block privilege escalation.

The descheduler v0.36.0 release is now live with images promoted across amd64, arm64, and arm platforms [1], clearing the path for clusters running pod eviction workflows. In security news, cloud-provider-gcp restricted Metis IPAM daemon socket permissions to 0600 [2], eliminating a privilege escalation vector where an overly permissive umask could allow unauthorized access to the CNI socket. The same repository also patched an index-out-of-range panic in IPAM's subnetwork parsing [3] and anchored the NetworkAttachment validation regex to prevent malformed identifiers from corrupting cluster state [4]. Test infrastructure made two major moves: periodic E2E tests are migrating from legacy kubetest2 to kOps-based conformance infrastructure [5], and DRA canary jobs are experimenting with direct e2e_node.test invocation instead of kubetest2 wrappers [6]. Leadership changes at etcd come as Ivan and Siyuan join and James and Wenjia retire [7]. The website team reorganized probe documentation under a unified concepts/workloads/pods/probes path [8] and published a Kubernetes v1.36 Memory QoS post in Chinese [9].

References

  [1] [descheduler v0.36.0] promote images · kubernetes/k8s.io
  [2] metis/daemon: restrict Unix domain socket permissions (#1131) · kubernetes/cloud-provider-gcp
  [3] IPAM: Fix index out of range panic in extractDefaultNwCIDRs (#1133) · kubernetes/cloud-provider-gcp
  [4] gnp: anchor NetworkAttachment validation regular expression (#1135) · kubernetes/cloud-provider-gcp
  [5] feat(e2e): migrate periodic E2E tests to kOps · kubernetes/cloud-provider-gcp
  [6] DRA: experiment with E2E node testing without kubetest2 · kubernetes/test-infra
  [7] Bring etcd leadership up to date. · kubernetes/k8s.io
  [8] Move probe concept pages to new concepts/workloads/pods/probes.md · kubernetes/website
  [9] blog(zh-cn): add v1.36 Memory QoS post · kubernetes/website

FAQ

What changed in Kubernetes on May 20, 2026?
Descheduler images promoted to v0.36.0 across all architectures as cloud-provider-gcp hardens Unix socket permissions to block privilege escalation.
What should Kubernetes teams do about it?
  • Pull descheduler v0.36.0 images if running pod eviction; verify architecture match
  • If running cloud-provider-gcp with Metis IPAM, upgrade immediately for socket permission hardening
  • Watch DRA E2E node testing migration; kubetest2 deprecation imminent
Which Kubernetes repositories shipped on May 20, 2026?
kubernetes/k8s.io, kubernetes/cloud-provider-gcp, kubernetes/test-infra, kubernetes/website
